
siliconbits writes "A Trojan posing as a media player for Android smartphones automatically sends text messages to premium rate numbers, according to Kaspersky Lab. Company officials say the Trojan, dubbed Trojan-SMS.AndroidOS.FakePlayer.a, is the first of its kind for the Android platform, even though SMS Trojans are currently the most widespread type of malware on mobile phones."

Yes, the user must approve giving the 'Trojan' access to sending text messages, which is included under a big banner that says "Things that can cost you money". Of course, after the 40th or 50th app installed, no one reads them anymore and just clicks the OK button, but Android does notify you of what it's capable of, and even that requires you to check the install apps from other sources button.

I'm interested to know if anyone's deployed a trojan on an app you actually purchase.

I'm sure this CAN be done, but has it been? I like a free app as much as the next person, but if you're not going to take the time to read what the program is capable of and paid apps are safer - then why not just purchase the full version of something similar?

Why not just take the literally 20 seconds to read what parts of the phone an app wants access to? Or at least the 5 seconds to make sure that there's nothing under the 'will cost you money' heading, unless it's an app where that makes sense (I think the only apps I have with entries under those headings are Google maps and Google voice, and both because they're allowed to initiate phone calls).

I Agree.
When I first got my Droid, I was going to install a free game until I saw it wanted access to my contacts list. The notification screen during app install is quite clear and easy to understand. There is no excuse for not reading it.

It would tell you it's going to send SMS, not that they will cost you money. So while it's sending SMS info of the songs you're listening to, to share playlists, it also sends SMS to places that charge?

I have never used SMS to do anything financial. I had it turned off after I got a bogus charge for ringtones. For the record, I create and put all my personalized ringtones directly on the phone. So for me, I was able to easily detect that charge.


On my phone, the category in the manifest is "Services that cost you money" (in big bold letters) and then under that, as an explanation, it says "directly call phone numbers, send SMS messages."

An application which has the ability to send SMS has the ability to cost you money because it could send SMS to premium-rate numbers or out of the country. Many people wouldn't think about this, and there's probably no easy way for Android to differentiate between regular SMS and premium-rate SMS.

there's probably no easy way for Android to differentiate between regular SMS and premium-rate SMS.

How about an option to only send SMS messages to numbers in your address book? Or an option to require approval for each new number that the app is allowed to send messages to? Or even just a restriction based on area codes? I'm not sure how it works in the USA, but in the UK you can easily tell from a phone number whether it's a premium rate number or an overseas number...

In this place of the UK, the area code tells you very much where/what you're calling, be it a normal landline, mobile, premium or free number. Even the cost of the number is often specified just in the area code. And if that's not enough there's a website which does premium rate phone number lookups. (Hint: 08 and 09, apart from 0800, are generally costly)

I think they're referring to premium SMS messages, not phone calls. Those are not always a phone number - often shorter (like These folks [texttopledge.com]).

I have seen ads to text 90999 with the word Haiti in the body to donate to the Red Cross for example. I never have actually used one of those donation methods, but the "phone number," if you will, is only 5 digits rather than a full 10 (for North America). And the program could potentially send that message (if embedded into its programming) without additional user i

I mean, you could download an app that legitimately purports to send SMS or email messages as one of its functions. Like, say, a "social" RSS newsreader that exists to notify family and friends of interesting articles or stories.

You then approve it, give it access to your contacts and email and SMS, only to find out later on that it sends special "paid" messages like the one in the article.

It's amazing how far folks are falling over themselves to defend this type of activity on the Android platform ("well it's their own fault" and "they should have read the warning"). I hate to break it to everyone, but most Android users are not geeks, nerds, or techies. They will do just as windows users have been doing for decades and click 'OK' when prompted. Such behavior should be expected and accounted for, or provisions made to protect end users in spite of themselves.

The difference here? There is no virus scan or malware blocker to save them.

Is it possible for an app to request access to the filesystem, then modify another existing app with a payload that makes it do all the dirty work? For example, take a legitimate and popular alternate phone/SMS app and modify it to call/SMS rogue numbers.

Is it possible for an app to request access to the filesystem, then modify another existing app with a payload that makes it do all the dirty work?

No. Each Android app runs as a separate Linux userid [android.com]. Even if you give the app filesystem access, it can't write to files that belong to other apps, let alone rewrite the apps themselves.


That would all be fine and dandy if there were no SD cards formatted with FAT32 with no filesystem security, and things like "move apps to SD card" features on top of that. These are simply bad choices for security.

As a Linux user, I would prefer to see the SD cards on Android phones using something like ext3 rather than FAT32. However, as someone firmly in touch with the real world, I understand why they chose FAT32. Since most desktops still run Windows, most of those that don't run Windows run OS-X, and it's still (unfortunately) a relative minority like me that runs a Linux OS on their (lap|desk)tops, FAT32 is still the logical choice, despite its security issues. I do agree that the "move apps to SD card

Because at this point we all have seen what happens when you design from the start for convenience OF THE DEVELOPER instead of security. The Windows world has been living with the consequences of that choice for decades now.

So now at the brink of a whole new wave of OS's, is not the time to repeat the mistakes of our virtual forefathers. Android could move apps into a smaller embedded filesystem in a file, but in no way should it o

Wow, that's really funny. I think this is the first time *I* have ever been called Bill Gates. Did you happen to notice my sig by any chance?

My point, which I thought was pretty clear and even though it pains me greatly to say so, was that there isn't another file system that is as widely supported out of the box as FAT32. UFS? Nope. Ext2/3/4? Nope. ReiserFS? Nope. NTFS? Nope. ZFS? Nope. There is a *reason* FAT32 is the standard for removable mass storage, even though it really sucks (especi

This could have been an arguable compromise solution. The other part - where your data on FAT32 is still wide open (pics/video/logs/whatever apps store on it) - would remain. But at least this way you could have some apps (depending on sensitivity of their info) store their data on such encrypted partition-in-a-file.

Other advantages would be:

- you could grow/shrink partition and filesystem as needed automatically by OS or manually
- you could just copy one file from one SD card to another and have it automat

Because I already described how you would have the same exact functionality with an embedded file system in one large file on the DOS partition, where apps would go. That would be mounted and have proper security.

To the user everything works as it does now, it's just that underneath you can't have apps stored on an external partition infected by another app nearly as easily.

If you wanted to let users drag apps onto the removable storage you could still l

Perhaps I was not clear enough but I was envisioning a binary blob in the FAT32 system, that was an Ext4 (or whatever) disk image.

Steve Jobs, is that you? ;)

Seriously, that sounds like the reason why I can't just drag MP3s to an iPod from any OS without Apple software. It's all about security, right? Personally I would take the risk and retain the hack-ability.


I'm not saying you place all files in there, just application binaries.

Even application writable directories could be on FAT; music would certainly stay there.

There's no reason you can't leave the SD card generally writable and useful, but still prevent applications from being hacked from within.

Finally someone that understands what I am proposing. The only tricky part would be mounting that virtual partition, that would probably require some serious coding somewhere in the Android filesystem to make that work...

Another cool thing is then you could use this support elsewhere - like a small encrypted data bundle for an application that only it could decode. So it would provide fringe benefits.

True, and if Android were to move to a better file system than FAT32, that's probably the best way to do it. But it does introduce the complexity of requiring software to access the device's file system from a Windows PC. While that may not be a big deal for TomTom (since they are the manufacturer for all TomTom devices), it becomes a somewhat bigger challenge for manufacturers of Android devices, since Motorola, HTC, etc., etc. would *all* have to include a Windows driver for the SD card. While I, f

The drivers for the EXT3 partition could simply be on the SD card itself, in a FAT32 partition. Easy enough.

But there's other reasons to keep FAT32 around: It's supported by bloody almost every hardware device with a USB port. I keep some videos and MP3s on my Droid, and it's dead simple to plug it into the car stereo or the PS3 and play whatever it is that's on there, or straight into a modern TV to do the same sort of thing. These devices don't support EXT2/3.

Because sometimes it's not that easy. I'm paranoid about what I've installed on mine, but say I make a GPS app that will show WIFI hotspot overlays on maps (cause I always wanted something like that). I now have an app that when downloaded, shows up as needing:

* GPS Location (fine)
* Network access

I also want to make it switch off during phone calls, and maybe keep the phone from sleeping:

Ask the developers? I have done this with other apps a few times and often the answer is as lame as "oops, we forgot to take it out after experimentation". The culture of minimizing permissions hasn't really taken hold yet, but with enough nagging it can. Android usually offers ways of achieving what you want without a permission, e.g., the weather channel can initiate a call by triggering the dialer with a number pre-populated. Then the user can make the call with a single tap. After the call ends the user is

I think this is the real answer... how to foster a culture of scepticism and caution among users that will make apps declaring unnecessary permissions get shunned in the marketplace. I would start, if I were Google, by putting an incentive into the market itself: "safer" apps should receive a special marking. Perhaps even appear first in search results. It should be possible to lock the phone to only access "safe" apps (sort of parental control type feature). Not big things, but enough to persuade

In all honesty, the way Android reports what an application uses is way too weak and not granular enough. Basically, you require access to 1 URL, your application needs "Full Internet Access". Want to access the GPS data? Your application needs "Location access", "Services that may cost money", etc.

The way an application declares its "needs" is through an element in the Android Manifest file. However, the choices are really limited to the existing Android services, and most of them have a 1 to 1 relation with the services they relate to, and nothing more granular such as "Requires GPS access using only satellites (costs nothing)", "Requires GPS access using cell towers", "Requires GPS access through paying services".

In the end, the user downloading an app sees warnings that are mostly meaningless, and which appear in many other applications. It's close to impossible to spot a possibly-offensive application such as this Trojan.


Do you use Android? It is more granular than that. Location access can specify coarse (cell location) and fine (GPS). "Services that may cost money" can specify SMS or phone calls. Many apps use a "Phone" permission that's called "Read phone state" so that it can know when you're receiving a call. Apps like Google Voice that use the "Phone" permissions also include things like "Make outgoing calls" and "Intercept calls".

It still needs to be finer, in my opinion. One thing I would really value is a sandboxed internet access that includes restrictions on the domains it can access and the amount of data it can send. I'm quite happy for an app to talk to its own server for a cloud based service. I see no reason that the same permission should let it blindly send unlimited amounts of my phone SD card data (possibly at great expense) to a mysterious web site in China. Unfortunately the same permission covers both.

Agreed. Also, access to the SD card should be limited to an app-specific directory by default.

I'm quite happy for an app to talk to its own server for a cloud based service. I see no reason that the same permission should let it blindly send unlimited amounts of my phone SD card data (possibly at great expense) to a mysterious web site in China.

Well, once you let an app talk to the developer's servers they can do whatever they want with the data from there. The advantage of whitelisting specific URLs is wh

Personally, I'd like to see an OS driven prompt to have access to things like contacts, messaging and phone access.

If your app needs a contact to send a message, it would have to pass that message to the OS and the OS would prompt the user for the contact to send it to. This way, no apps need access to contacts to send messages for some reason. The same applies to phone numbers, etc.

^This. The Java VM on my previous Sprint Samsung and LG feature phones (I mention the brands and provider because I don't know who pushed for such granular permissions) gave me more granular controls, meaning I could grant various permissions to an app once, never, or forever.

When I tried the Droid Incredible for a month, I was appalled to see A) how vague Android was about the type of permissions apps asked for, and B) how Android didn't offer the same once, never or forever options as my feature phone.


Fortunately, owning a G1, with limited memory storage available, I have yet to reach my 40th or 50th app install, and thus still read that stuff before I install. I figure I have about 20 more apps to go before I start skipping that section and just install without reading...

"Kaspersky officials suggest that Android users pay close attention to the services requested by an application at the time of installation"

So yeah. But it hardly makes it not a trojan; by definition trojans masquerade as legitimate apps and this one seems to be no exception. But it doesn't spread or install automatically or give itself privileges the user doesn't grant it, so it's not a big concern. Just another example of users installing that app they MUST have no matter how loudly their anti-virus sc

As an end user, I'd like to see an app store where liability insurance is mandatory to cover damages that users may experience from misleading or malicious closed-source apps. The insurance companies should still require source. For totally open source apps, the store should indicate if/what independent volunteer group (or one funded by a small per-app fee) has reviewed the app.

I think that OS / software vendors that take the entire burden of security debugging on themselves by failing to provide source c


All you'd really get out of that is a false sense of security and a scapegoat to shake your finger at.

This is an app which is not installed via the Android Market. You have to first enable the installation of apps from outside the Market (an option in system settings). Once you've made that change, neither Google nor any other entity controls what you install on your phone any longer.

Also, you still have to go through a screen which warns that this application requires special permissions; the ability to send SMS's is listed under a big bold heading along the lines of "Things which may cost you money."

If you install something that says "THIS WILL COST YOU MONEY", and it sends SMS that costs you money, how exactly is that a "trojan"?

Because it says it does one thing and actually does another. That's what a trojan is.

The fact that the installation tells you it can cost you money and people still install it means people are idiots. This is like anti-virus popping up and saying, "Application has been detected to do something which doesn't correspond to the type of application you are installing. Wish to continue?" The fact this is newsworthy implies the headline, "User willingly and knowingly accepts virus - anti-virus and Windows is to blame

Why bother? I read it, and I still don't know silly details like what the name of this app is, or whether it's been pulled from the Android Market. Actually, now that I think about it, I don't even know *if* it was in the Android Market, or if it's a side-load app. For all I know, Kaspersky "discovered" a proof-of-concept app that they developed themselves. Yeah, that last bit is pretty unlikely, but reading TFA is no help at all in ruling it out.....

While there could definitely be such an app, the article definitely sounds like an advertisement for their product rather than a security notification.

It seems like it's gotten to the point that anything that comes out of Kaspersky, Sophos, Symantec, et al, is just a bunch of far-fetched hype for some product or service they are hawking. These guys have become so transparent that I have concluded that they are just a higher grade of spammers.

This was the same problem with the screen saver app that also did something malicious. Couldn't find the name of the app; it just said that it was out there. This is starting to bother me; tell me what the app is, where it was installed from and who the developer is.

However we don't need to know any of that because it's clear that the application asks for permission to send SMS, the user accepts and then the app does exactly what it said it was going to do. This is no trojan; this is a case of users not wanting to be responsible for the security of their devices.

I really can't agree there. I'd still be inclined to categorize it as a trojan since it's disguised as a music player (even a flawed disguise is still a disguise). In any case, I don't think there's any argument to be made that it isn't malware, and I'd still like to know what name it's being distributed under and who it's coming from....

Also, since we don't really know anything about the app, it's entirely possible that its description explains the SMS access away as having the ability to text your frien

However we don't need to know any of that because it's clear that the application asks for permission to send SMS, the user accepts and then the app does exactly what it said it was going to do.

This is where I'm not sure the Android security model is doing you many favors.

You download a media player, go to install it, and you get a list of things it wants to do - access media library, perhaps access contacts for sharing, and so on... and way down at the end, a little notice about accessing SMS. You might n

Even though saying a user "can't miss" something in a list of other things seems wrong to me from direct experience, I'm willing to concede that point.

Because it does not matter.

That screen is telling the user that at some theoretical point in the future, the app may want to SMS someone. Well who cares then? The user doesn't know what the app really does yet, perhaps (in the movie player case) it lets them SMS URLs of cool movies. The user has no way a


If you read the screen you can't miss it. If you missed it, then you haven't read the screen.

Your only other choice is to prohibit software from doing things which might not be desirable to the user, including the legitimate uses of software in areas where there is also room for illegitimate uses.

So this should lead to police activity quickly enough, right? One can't (at this time) prove where the trojan came from, but it's easy enough to see who benefits and what accounts the money gets paid into. That should all get frozen, cops should kick down some doors, machines should get confiscated?

"but it's easy enough to see who benefits and what accounts the money gets paid into."

Maybe not. The person who owns the account might be a legitimate business and just claim he doesn't know why the writer chose him. Or the writer just picked something at random to cause random confusion and to make a point.

Let's say you sold personalized adult SMS messages for 5 bucks a pop. Your business really starts to rise. How are you to know that someone chose you at random for a PoC of malware? Or a rival isn't se

After trudging through several articles, not one mentions the application's name. It does however mention that the trojan can be packed into basically anything. It also doesn't mention that only users in Russia are affected by the SMS charges.

According to Denis Maslennikov, Senior Malware Researcher at Kaspersky Lab, there's not an exact number of infected devices available at present, but the outbreak is currently regional. For now, only Russian Android users can actually lose money after installing the Trojan, but anyone can be infected.

Also forgot to mention, it isn't in the market. It has to be manually installed, with that little box checked to allow non-market apps to be installed.

Given the number of jailbroken iPhones with OpenSSH installed, that's not a limitation at all. Turns out people are sheep, and if you give them instructions on how to install your SuperNewCoolAndroidApp.apk file, they'll do it. They'll blithely check that box, click OK on the permissions dialog, etc. Make it into a YouTube video and they'll just do it like a

Here's some more info [securelist.com]. Still no link/name/source of the app. They could have paid someone to write a proof of concept/hypothetical app that did that, so they could do a press release and plug in their upcoming product.

Bad summary? I'd say bogus story perhaps even FUD. Given that they haven't told us the name of the app, and that it has to be installed from a source other than the market (which surprise, surprise, wasn't in ANY of the stories I read about this today)... I'd say this story is bullcrap.

What is clearly needed here is insurance against this type of loss. Then nobody will be a victim anymore... well, as long as they have insurance.

The problem is that we started out giving hammers to 6 year-old boys without any instruction. This was the DOS command line in 1982. The result was predictable and painful for some but for the most part it is possible to use a PC now, 25 years later. But we still have huge volumes of phishing and botnet emails because people do fall for this stuff.

The comparison is grossly unfair. Better one: If having unprotected sex with various partners gives you an STD, then you share a large part of the blame.

Downloading some software from somewhere and then running it is a high-risk activity. Walking down an alley at 3 in the morning does (at least here) not come with any significant risk of getting raped.

People that did not bother to find out the risk-level for an activity or knowingly did high-risk things, always share the responsibility for a bad outcome.

My apologies to your survivors (or congratulations, their decision) but you neglected to wear body armor capable of withstanding an anti-materiel round. You got what you deserved for being so careless.

A company that makes money selling anti-virus software claims there is a Trojan that their Android release will fix.

Ok, I'm willing, for the moment, to say that's true and has happened. The article doesn't give any information. Was this spread through the market, or did someone select the option to install apps from anywhere and then get hit?

OTOH, this does follow my belief that online and smart phone financial transactions will end. The sheer number and ease of scamming people can't be stopped.

Any suggestions for an Android app that can quickly do a security audit (assuming the APIs allow it)?

I'm thinking that it would list in table form all the installed applications (the rows) with all the security access types (columns) with all the cells checked or unchecked. This would allow an "at a glance" review of all the apps without having to navigate into the management of each one.
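One way to build the audit table proposed above (installed apps as rows, permission types as columns) from the `<uses-permission>` manifest elements mentioned earlier in the thread. This is an added example, not code from the thread, Kaspersky or Google: the manifests are constructed stand-ins with placeholder package names, and the permission-to-group mapping is a simplified assumption (only the "Services that cost you money" label is quoted in the thread). The review step also generalizes the thread's "unless it's an app where that makes sense" rule into a per-app list of expected cost-money permissions.

```python
"""Offline audit of Android manifests as an apps x permissions table. Added
example, not code from the thread, Kaspersky or Google; manifests below are
constructed and the permission-to-group mapping is a simplified assumption."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS
COST_MONEY = "Services that cost you money"

PERMISSION_GROUPS = {
    "android.permission.SEND_SMS": COST_MONEY,
    "android.permission.CALL_PHONE": COST_MONEY,
    "android.permission.INTERNET": "Network communication",
    "android.permission.ACCESS_FINE_LOCATION": "Your location",
    "android.permission.READ_CONTACTS": "Your personal information",
    "android.permission.WRITE_EXTERNAL_STORAGE": "Storage",
}


def _manifest(package, label, *perms):
    """Build a constructed AndroidManifest.xml string (sample data only)."""
    uses = "".join('  <uses-permission android:name="%s"/>\n' % p for p in perms)
    return ('<manifest xmlns:android="%s" package="%s">\n%s'
            '  <application android:label="%s"/>\n</manifest>\n'
            % (ANDROID_NS, package, uses, label))


# Constructed sample: a "media player" that also wants SEND_SMS, a maps app,
# and a voice app that legitimately dials (package names are placeholders).
SAMPLE_MANIFESTS = [
    _manifest("com.example.fakeplayer", "Media Player",
              "android.permission.SEND_SMS",
              "android.permission.WRITE_EXTERNAL_STORAGE"),
    _manifest("com.example.maps", "Maps",
              "android.permission.ACCESS_FINE_LOCATION",
              "android.permission.INTERNET"),
    _manifest("com.example.voice", "Voice",
              "android.permission.CALL_PHONE",
              "android.permission.READ_CONTACTS"),
]


def parse_manifest(xml_text):
    """Return (package name, set of <uses-permission> names)."""
    root = ET.fromstring(xml_text)
    perms = {el.get(NAME_ATTR) for el in root.iter("uses-permission")}
    return root.get("package"), perms


def build_matrix(manifests):
    """Rows = packages, columns = every permission any app requested."""
    parsed = [parse_manifest(m) for m in manifests]
    columns = sorted(set().union(*(p for _, p in parsed)))
    rows = {pkg: {c: c in perms for c in columns} for pkg, perms in parsed}
    return columns, rows


def render_table(columns, rows):
    """At-a-glance table: X = requested, . = not requested."""
    short = [c.rsplit(".", 1)[-1] for c in columns]
    width = max(len(p) for p in rows)
    lines = [" " * width + " | " + " ".join(short)]
    for pkg, cells in rows.items():
        marks = " ".join(("X" if cells[c] else ".").center(len(s))
                         for c, s in zip(columns, short))
        lines.append(pkg.ljust(width) + " | " + marks)
    return "\n".join(lines)


def cost_money_review(rows, expected=None):
    """Cost-money permissions per app that `expected` (package -> permissions
    that make sense for it, e.g. a voice app dialing) does not account for."""
    expected = expected or {}
    flagged = {}
    for pkg, cells in rows.items():
        risky = sorted(p for p, asked in cells.items()
                       if asked and PERMISSION_GROUPS.get(p) == COST_MONEY
                       and p not in expected.get(pkg, ()))
        if risky:
            flagged[pkg] = risky
    return flagged


if __name__ == "__main__":
    cols, matrix = build_matrix(SAMPLE_MANIFESTS)
    print(render_table(cols, matrix))
    known = {"com.example.voice": {"android.permission.CALL_PHONE"}}
    for pkg, perms in cost_money_review(matrix, known).items():
        print("REVIEW %s: unexpected %s" % (pkg, ", ".join(perms)))
```

On a real device the same functions would be fed the manifests of installed packages instead of the constructed samples; the review output is the list a user would want to scan before trusting a "media player" that asks to send SMS.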

No trojan would spread all that rapidly unless it was spread via the marketplace, and anyone submitting anything to the marketplace (even free stuff) has to go through a credit background check. Not to mention Google has the ability (and has used it) to remotely wipe programs installed from the marketplace.

There is something that I miss in all of the reports I've read about this "trojan": they fail to actually name the app that's supposedly causing all this. Seriously, was the application called "fakeplayer" or something? It's useful information to know what app is malicious, don't you think? So that you can avoid installing it, or remove it from your phone before it causes more damage.

"Oh and why do you capitalize the 'middle east'? Is it a country now, worthy of promotion to a proper noun?"

Doesn't need to be a country. Region names are capitalized when they stand alone and are widely understood to designate a specific geographic (or geopolitical) area. e.g. Southern California, the Bay Area, the Middle East.

Wait, what? You answer a rhetorical question by telling me that the mercenaries are mine?

"We" includes you. In this case it most certainly does not include me. But, no, I didn't tell you that the mercenaries were yours: you said that you were having trouble hiring any. I offered some suggestions.

And that you have a record of their kill statistics?

While the details are secret (well, until recently...) according to news reports totals run to 200,000 or so in the Middle East recently (mostly civilians,

Nearly every feature on Android is an app (including the phone dialer), even if it's located in the firmware. I would guess most phones come with the "Music" app in firmware. But that doesn't mean people can't download other music players, install them, and use them. Other players may offer features not found in the standard app (visualizations, equalization, special effects, library management).